The author is a Forbes contributor. The opinions expressed are those of the writer.

Jail time for refusing to comply with mandatory key disclosure hasn't occurred in the United States yet. But it's already happening in jurisdictions such as the UK, where a 33-year-old man was incarcerated for refusing to turn over his decryption keys and a youth was jailed for not disclosing a 50-character encryption password to authorities.

Similarly harsh key disclosure laws also exist in Australia and South Africa, where they compel individuals to surrender cryptographic keys to law enforcement without regard for the usual common law protection against self-incrimination.

Key disclosure laws may become the most important government tool in asset seizures and the war on money laundering. Key disclosure refers to the government's ability, when you are charged with a criminal offense, to demand that you surrender the private encryption keys that decrypt your data. If your data is currency, such as access control to various amounts of bitcoin on the block chain, then you have surrendered your financial transaction history and potentially the value itself.

These laws will impact not only money laundering prosecution but almost any asset protection strategy that attempts to maintain an element of financial privacy such as private banking or family trusts. Prior to all these money laundering laws being enacted, I once heard it said that the practice of moving money around was simply referred to as banking.

Doug Casey famously said that "it's a completely artificial crime. It wasn't even heard of 20 years ago, because the 'crime' didn't exist." Furthermore he said, "The War on Drugs may be where 'money laundering' originated as a crime, but today it has a lot more to do with something infinitely more important to the state: the War on Tax Evasion." And, if they can't track it from the outside via the banks and financial institutions, they'll track it from the inside via access to an individual's passwords and private keys.

In the United States, relevant case law has revolved around the Fifth Amendment privilege against self-incrimination as there is currently no specific law regarding key disclosure. The definition of a password is alarmingly broad too -- all the way from an extension of your personal memory to an illegitimate tool that only hides something tangible from law enforcement.

The first case to address directly the question of whether a person can be compelled to reveal his or her encryption keys or password was In re Grand Jury Subpoena to Sebastien Boucher in 2009. Here a magistrate judge ruled that producing the passphrase for the encrypted hard drive would constitute self-incrimination, but on appeal the District Court overturned that decision, holding that decrypting and producing the complete contents would not constitute self-incrimination since Boucher initially cooperated in showing some of the computer files to border agents.

Next, there was the federal criminal case of United States v. Fricosu in 2010, in which the Federal District Court ordered a criminal defendant to decrypt the contents of an encrypted laptop. Although the defendant claimed Fifth Amendment rights against self-incrimination and the Electronic Frontier Foundation (EFF) filed an amicus curiae brief, the Court sided with the government, ruling that since the defendant admitted to ownership of the laptop and knowledge of the passwords in a recorded conversation, the existence of evidence was a "foregone conclusion" and therefore the Fifth Amendment privilege could not be implicated. In early 2012, the Tenth Circuit Court of Appeals rejected an appeal and let that decision stand.

In a blog post, Orin Kerr cited In re Weiss (703 F. 2d 653) in summarizing testimonial obduracy and what a future Court's likely posture would be if a defendant refuses to comply with a key disclosure order or claims to have forgotten the password. On the specific Fifth Amendment issue in United States v. Fricosu, Kerr states:

If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password. Because the only incriminating message of being forced to decrypt the password — that the suspect has control over the computer — is already known, it is a “foregone conclusion” and the Fifth Amendment privilege cannot block the government’s application.

In another case upholding the constitutional right against forced decryption, the Eleventh Circuit Court of Appeals in United States v. Doe on February 24th, 2012, overturned a contempt of court ruling for refusing to decrypt. The court reasoned that without any specific knowledge of a hard drive's file contents or file existence, the government cannot assert that certain items can be described with "reasonable particularity," and therefore compelling a defendant to produce those files would violate the Fifth Amendment's protection against self-incrimination. The Electronic Frontier Foundation (EFF), which again filed an amicus curiae brief in the case, called it a major victory for constitutional rights in the digital age.

To say the cryptocurrency bitcoin is disruptive would be an understatement. Bitcoin not only disrupts payments and monetary sovereignty, it also disrupts the legal enforcement of anti-money laundering laws, asset seizure, and capital controls. It is very likely that a key disclosure case will make it to the U.S. Supreme Court where it is far from certain that the Fifth Amendment privilege, as it relates to a refusal to decrypt bitcoin assets, will be universally upheld.

Many observers have suggested defensive techniques that deploy TrueCrypt disk encryption with hidden volume partitions, or PGP Whole Disk Encryption that renders the entire computer unbootable, thereby making even file time and date stamps unavailable. Another legal strategy to complicate matters could be to split the passphrase with another person and claim that you are never in possession of the entire real passphrase. Then at least there would be "plausible deniability" as to who provided the invalid portion of the passphrase, or you would have a cellmate if held in contempt.